https://community.splunk.com/t5/Getting-Data-In/How-do-I-ingest-rotated-log-files-without-the-source-filename/m-p/419126#M94080 <P>hi @marrette,</P> <P>Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. </P> <P>Thanks for posting!</P> Mon, 08 Oct 2018 19:09:21 GMT mstjohn_splunk 2018-10-08T19:09:21Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-ingest-rotated-log-files-without-the-source-filename/m-p/419124#M94078 <P>I have several logs files on several hosts which ingest data from log files which are quite high volume (nearly as high as 2gb/hour on a big day) and are rotated every hour. On rotation the file name will change from Device_01.log to Device_01.log.2018-10-08-12</P> <P>The inputs.conf stanza is configured like so:</P> <PRE><CODE>[monitor:///path/to/logs/...] disabled = false followTail = 0 index = myIndex whitelist = .*\.log$|.*\.log\.\d\d\d\d-\d\d-\d\d-\d\d$ ignoreOlderThan = 1d blacklist = .*ffdc_.*log|messages_.*log|exception_.*log|trace.*log|native*.log|activity.log|systemout*[0-9].log|systemout_.*log|.*-metrics\.[0-9]{1,3}\.log|\d+.\d+.\d+.\d+.\d+.\d+.log|-\d+-\d+-\d+.log sourcetype = myApplication </CODE></PRE> <P>And this works - if Splunk isn't able to keep up with the data coming in before the file is rotated on the hour, it will open the renamed file and read the rest of the data from where it left off. But the source field of the renaming data will be the renamed file, not the actually log file name. So the following Splunk query will show the whole file if a wildcard is used:</P> <PRE><CODE>host=AppServer* index=myIndex source=/path/to/logs/Device_01.log* </CODE></PRE> <P>...but it would be nice if Splunk would keep the source field named with the original file name, not the rolled filename.</P> <P>Is this possible to do? </P> <P>Thanks<BR /> Eddie</P> Tue, 29 Sep 2020 21:34:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-ingest-rotated-log-files-without-the-source-filename/m-p/419124#M94078 marrette 2020-09-29T21:34:10Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-ingest-rotated-log-files-without-the-source-filename/m-p/419125#M94079 <P>You could create a props and transforms config to overwrite the value of the source field. Try something like below (regex might require some tweaking). Deploy this on your indexer(s) (or on your heavy forwarder if you use one for this data).</P> <P>props.conf</P> <PRE><CODE>[myApplication] TRANSFORMS-setsource = myApp-setsource </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[myApp-setsource] SOURCE_KEY = MetaData:Source REGEX = (^[^\.]+\.log).* DEST_KEY = MetaData:Source FORMAT = source::$1 </CODE></PRE> <P><A href="https://regex101.com/r/lcKD4Y/1">https://regex101.com/r/lcKD4Y/1</A></P> Mon, 08 Oct 2018 06:44:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-ingest-rotated-log-files-without-the-source-filename/m-p/419125#M94079 FrankVl 2018-10-08T06:44:43Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-ingest-rotated-log-files-without-the-source-filename/m-p/419126#M94080 <P>hi @marrette,</P> <P>Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. </P> <P>Thanks for posting!</P> Mon, 08 Oct 2018 19:09:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-ingest-rotated-log-files-without-the-source-filename/m-p/419126#M94080 mstjohn_splunk 2018-10-08T19:09:21Z